The blkxor function in pwhash_scryptsalsa208sha256_nosse.c breaks strict aliasing rules (for ARCH_BITS==64). It load/stores from a buffer via uint64_t* that is otherwise accessed via uint32_t* only. We just had trouble with this in core scrypt and clang-15 LTO mode and found upstream scrypt had already fixed it in Tarsnap/scrypt@209fd27

I noticed a copy / similar problematic code for ARCH_BITS==64 in libsodum version.

Thanks for the heads up!

It should be fixed now, including in stable.

Thanks again!